Dynamic Access Control (DAC) - Part 5: Effective Access

In this last part of our series about Dynamic Access Control (DAC) in Windows Server 2012, we use the Effective Access tool to verify that DAC grants and denies access the way we intended.
By Timothy Warner

The scenario ^

The following figure graphically illustrates the simple, real-world scenario upon which we base our study of DAC:

Figure 1: Our Dynamic Access Control scenario

We have three computers in our test network:

  • DCNUGGET: Windows Server 2012 domain controller
  • MEMNUGGET: Windows Server 2012 file server that will host DAC-protected shared resources
  • CLINUGGET: Windows 8 client computer

If you have followed this series, then you’ve performed the following actions in your test environment:

  • Defined user claims
  • Defined resource properties
  • Published the resource property list to your file server
  • Created a Central Access Rule and associated it with a Central Access Policy
  • Used Group Policy to deploy the Central Access Policy (and the rule it contains) to your file server
  • Tagged the target shared folder with resource properties

Our final step in this process is to test user access to the CORPDOCS shared folder.

Testing DAC with Effective Access ^

Connect to your file server, locate your shared folder, and open its Properties sheet. Switch to the Security tab, click Advanced to open the Advanced Security Settings dialog box, and then navigate to the Effective Access tab. Click the Resource Properties disclosure arrow to verify that the folder carries the resource property tags you applied. I show you the interface in Figure 2.

Figure 2: Viewing Effective Access to a DAC-protected resource

NOTE: You should also navigate to the Central Policy tab of the same Advanced Security Settings dialog box and verify that the folder is attached to your published Central Access Policy. If it is not, the Effective Access tab will evaluate only share and NTFS permissions, and your test will not tell you anything about DAC.

In the Advanced Security Settings dialog box, click Select a user and browse to a representative user account. In my case, I brought up a test user named Jeff Gibson who works in Nashville but not in the RD department.

Figure 3: Viewing a user's effective access

As you can see, you can easily analyze whether the given user is granted or denied access to the DAC-protected resource. What’s even better, Windows shows you whether the access comes from a Central Access Policy, NTFS permissions, or both.

Click the Include a user claim link in the Advanced Security Settings dialog to model how the user’s access changes if his user claims are modified. In my case, I changed Jeff’s claims to match the Nashville location and the RD department.

Taking a look at Figure 4, you’ll observe that my user Jeff Gibson would now have access to the CORPDOCS folder.

Figure 4: Modeling access to DAC resources
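The same "what-if" check can be scripted, which is handy when you want to test many users or many rules without clicking through the dialog for each one. The script below is an added example and is not part of the original post: it uses the ActiveDirectory RSAT module to pull the Central Access Policy and its rules, builds the claim set a user would present from each claim type's source attribute, and evaluates the simple claim terms in each rule's conditional ACE. The policy name 'CORPDOCS Access Policy', the account 'jgibson', and the claim type IDs in the comments are lab assumptions; replace them with your own values.

```powershell
# Added example (not from the original post): script the check that the
# Effective Access tab performs, using the ActiveDirectory RSAT module.
# The names below are lab assumptions; replace them with your own.
$CapName  = 'CORPDOCS Access Policy'   # assumed Central Access Policy name
$UserName = 'jgibson'                  # assumed sAMAccountName of the test user

# What-if overrides: the scripted equivalent of "Include a user claim".
# Keys are claim type IDs as reported by Get-ADClaimType, for example
# ad://ext/Department:88d4d1c7b4a3d6a1 (assumed value for illustration).
$WhatIf = @{}   # e.g. @{ 'ad://ext/Department:88d4d1c7b4a3d6a1' = 'RD' }

Import-Module ActiveDirectory

# 1. Enabled claim types and the AD attribute each one is sourced from
$claimTypes = Get-ADClaimType -Filter * | Where-Object { $_.Enabled -and $_.SourceAttribute }
$user = Get-ADUser -Identity $UserName -Properties *

# 2. The claim set this user would present at logon, plus any overrides
$claims = @{}
foreach ($ct in $claimTypes) { $claims[$ct.ID] = $user.($ct.SourceAttribute) }
foreach ($k in $WhatIf.Keys) { $claims[$k] = $WhatIf[$k] }
"Claims for ${UserName}:"
$claims.GetEnumerator() | ForEach-Object { "  {0} = {1}" -f $_.Key, ($_.Value -join ',') }

# 3. Walk the CAP's rules. CurrentAcl is SDDL that carries the conditional ACE,
#    e.g. (XA;;FA;;;AU;(@USER.ad://ext/Department:88d4d1c7b4a3d6a1 == "RD"))
#    Only simple terms (==, !=, Any_of, Not_any_of on user claims) are evaluated;
#    nested &&/|| logic, Member_of and device claims are printed but not scored.
$termPattern = '(?i)@USER\.(?<id>[^\s=!<>()]+)\s*(?<op>==|!=|Any_of|Not_any_of)\s*(?<rhs>"[^"]*"|\{[^}]*\})'
$cap = Get-ADCentralAccessPolicy -Identity $CapName
foreach ($ruleDn in $cap.Members) {
    $rule = Get-ADCentralAccessRule -Identity $ruleDn
    "`nRule '$($rule.Name)'"
    "  Resource condition: $($rule.ResourceCondition)"
    "  Permissions (SDDL): $($rule.CurrentAcl)"
    foreach ($m in [regex]::Matches($rule.CurrentAcl, $termPattern)) {
        $id   = $m.Groups['id'].Value
        $op   = $m.Groups['op'].Value
        $want = [regex]::Matches($m.Groups['rhs'].Value, '"([^"]*)"') |
                ForEach-Object { $_.Groups[1].Value }
        $have = @($claims[$id]) | Where-Object { $_ }
        $hit  = @($have | Where-Object { $want -contains $_ }).Count -gt 0
        $pass = switch ($op) {
            '=='         { $hit }
            'Any_of'     { $hit }
            '!='         { -not $hit }
            'Not_any_of' { -not $hit }
        }
        "  {0} {1} {{{2}}}: user has '{3}' -> {4}" -f $id, $op, ($want -join ','),
            ($have -join ','), $(if ($pass) { 'TRUE' } else { 'FALSE' })
    }
}
```

Run it on the domain controller or on any machine with RSAT and permission to read the claim types, the CAP, and the user object. Populating $WhatIf with the Department and Location claim IDs set to "RD" and "Nashville" reproduces the Figure 4 experiment for Jeff. The Effective Access tab remains the authority, because it also combines the result with the share and NTFS permissions on the folder; the script only tells you whether the user's claims satisfy each rule's terms.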

Conclusion ^

For those of us with years of experience managing shared file resources by using share and NTFS permissions, Dynamic Access Control presents us with a learning curve and an altered paradigm toward IT security and least privilege.

However, I think you’d agree with me that, once you get the hang of it, DAC ultimately makes it easier to apply least privilege access in a powerful and flexible way. Be on the lookout for my 4sysops blog post on security auditing; Windows Server 2012 now allows us to track detailed access metadata for DAC resources.

Please see the following online resources if you want some more detail. Please let me know in the comments of this post if you’d like me to develop a full tutorial for Dynamic Access Control deployment.
